But it's not clear to me how they are actually used, or if there is in
fact a way to bypass MFA on a per-service basis.
Bypass rules cannot be done per service now. Certainly something that can be
added in a follow-up minor release perhaps. Some examples in the docs describe
typical use cases, but nothing that can be done per service, if you have
enabled MFA globally.